Portable handheld device for wireless order entry and real time payment authorization and related methods

ABSTRACT

A portable handheld device for wireless order entry and real time payment authorization may include a portable housing, a display carried by the housing, an order entry input device carried by the housing, a transaction card input device carried by the housing for reading user sensitive information from a transaction card, a wireless transceiver carried by the housing, and a processor carried by the housing and connected to the display, order entry input device, transaction card input device and wireless transceiver. The processor may be for wirelessly sending input order information, and encrypting and wirelessly sending the user sensitive information from the transaction card without storing and without displaying. The processor may also be for wirelessly receiving and displaying payment authorization information based upon real time authorization from a transaction card issuing entity.

RELATED APPLICATION

This application is based upon prior filed co-pending provisionalapplication Ser. No. 60/673,603 filed Apr. 21, 2005, the entire subjectmatter of which is incorporated herein by reference in its entirety.

FIELD OF THE INVENTION

The present invention relates to the field of wireless networks, and,more particularly, to wireless order entry systems and related methods.

BACKGROUND OF THE INVENTION

Wireless networks are gaining in popularity for point-of-sale (POS)applications, such as in stores and restaurants, for example. Suchnetworks typically include a server or other computer which communicateswirelessly via a wireless router with a plurality of handheld wirelessdevices, such as personal digital assistants (PDAs) carried by waiters,store personnel, etc. The portable wireless devices may be used fortaking orders, checking inventory, and various other tasks which makesemployees more efficient because they do not have to continuously returnto a fixed computer or terminal location.

Various prior art wireless POS systems are known. One example isdisclosed in U.S. Patent Publication No. 2002/0095380, which is directedto a payment system for the restaurant industry that facilitatesefficient payment using a bankcard for a meal in a restaurant. This isdone without providing personal sensitive data from bankcards toemployees/waiters of the restaurant. The payment system includes acentral system, a portable wireless device, a card processor and amerchant system and a bill with a service code that identifies themerchant, the table and the server.

One unfortunate result of the migration to wireless POS networks is thatskimming and counterfeit fraud has significantly increased within thePOS environment. Prior to the introduction of real-time terminalauthorization, criminals were able to create false cards simply byobtaining card information from disregarded sales receipts. In today'selectronic world, the authorization terminal reads additionalinformation included on the card's magnetic stripe. Simple hand helddevices are now available to criminals that can be used to “skim” themagnetic stripe and obtain all the information needed for the creationof a fraudulent card.

In recent years, the industry has witnessed significant growth in thisabusive practice with the development of small, portable devices, whichcan store hundreds of account numbers at a time. Once in possession of acustomer's credit card, the criminal can run the card through thiseasily concealed device and in seconds access and store the magneticstripe information. Skimming usually occurs in businesses where thenormal transaction requires the cardholder to give up possession of thecard, such as in restaurants.

One prior art system which provides some measure of protection againstfraudulently copied credit card information is set forth in U.S. PatentPublication No. 2006/0049256. This published application discloses asecure magnetic stripe card stripe reader (MSR) module and softwaresystem capable of encrypting the magnetic stripe data to CPI, SDP andLISP standards for use in POS and other applications requiring datasecurity using non-secure networks and computing devices. The MSR modulemay also provide detection of fraudulently copied magnetic stripe cards.

Despite the benefits of such systems, further security features may bedesirable in certain wireless POS network systems.

SUMMARY OF THE INVENTION

In view of the foregoing background, it is therefore an object of thepresent invention to provide a portable handheld device, system, andrelated methods for wireless order entry and real time paymentauthorization with desired security features and related methods.

This and other objects, features, and advantages in accordance with thepresent invention are provided by a portable handheld device forwireless order entry and real time payment authorization which mayinclude a housing, a display carried by the housing, an order entryinput device carried by the housing, a transaction card input devicecarried by the housing for reading user sensitive information from atransaction card, and a wireless transceiver carried by the housing. Theportable handheld device may further include a processor carried by thehousing and connected to the display, order entry input device,transaction card input device and wireless transceiver for wirelesslysending input order information, and encrypting and wirelessly sendingthe user sensitive information from the transaction card without storingand without displaying. Moreover, the processor may also be forwirelessly receiving and displaying payment authorization informationbased upon real time authorization from a transaction card issuingentity.

More particularly, the portable handheld device may further include adebit personal identification number (PIN) input device carried by thehousing and connected to the processor. As such, the processor may alsowirelessly encrypt and send debit PIN information without storing andwithout displaying. The wireless transceiver may be a wireless localarea network (WLAN) transceiver, for example. Additionally, theprocessor may send and receive information via a Secure Sockets Layer(SSL) protocol.

The display may be a touch screen, for example, and the order entryinput device may include a user manipulated stylus cooperating with thetouch screen. The portable handheld device may further include a printercarried by the housing, and the processor may also be for printing atransaction receipt. By way of example, the portable handheld device maybe for restaurant order entry, and it may include a memory storingrestaurant menu data.

The portable handheld device may also include a volatile memory storinga private key for encryption. More particularly, at least one tamperresistant structure associated with the volatile memory. Also, theportable handheld device may include a battery carried by the housingand powering the volatile memory, and the at least one tamper resistantstructure may include an encapsulant surrounding the battery and thevolatile memory.

A system for wireless order entry and real time payment authorizationvia the Internet may include a wireless network router connected to theInternet, and at least one portable handheld device, such as the onedescribed briefly above. In addition, a wireless order entry and realtime payment authorization method aspect may include providing aportable handheld device, such as the one described briefly above,wirelessly sending input order information from the portable handhelddevice, and encrypting and wirelessly sending the user sensitiveinformation from the portable handheld device without storing andwithout displaying. The method may further include wirelessly receivingand displaying payment authorization information at the portablehandheld device based upon real time authorization from a transactioncard issuing entity.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a schematic block diagram of a system for wireless order entryand real time payment authorization in accordance with the presentinvention.

FIG. 2 is a schematic block diagram of an exemplary portable handhelddevice for use in the system of FIG. 1.

FIG. 3 is perspective view of an exemplary portable handheld device foruse in the system of FIG. 1.

FIGS. 4 and 5 are flow diagrams illustrating wireless order entry andreal time payment authorization method aspects of the present invention.

FIGS. 6 through 9 are front views of the portable handheld device ofFIG. 3 displaying login, function selection, input (menu) order, anddebit PIN entry screens, respectively.

FIG. 10 is a schematic block diagram of an alternative embodiment of thesystem of FIG. 1.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS

The present invention will now be described more fully hereinafter withreference to the accompanying drawings, in which preferred embodimentsof the invention are shown. This invention may, however, be embodied inmany different forms and should not be construed as limited to theembodiments set forth herein. Rather, these embodiments are provided sothat this disclosure will be thorough and complete, and will fullyconvey the scope of the invention to those skilled in the art. Likenumbers refer to like elements throughout, and prime and double primenotation are used to indicate similar elements in alternativeembodiments.

Referring initially to FIGS. 1 through 5, a system 20 for wireless orderentry and real time payment authorization, such as a point-of-sale (POS)system, for example, and related methods are first described. The system20 illustratively includes one or more portable handheld devices 21 a-21n. By way of example, the portable handheld devices 21 a-21 n may bepersonal digital assistant (PDA) devices, as will be discussed furtherbelow, but other suitable portable handheld devices may also be used. Byway of example, one exemplary PDA which may be used is an HP & FAQHX4700. The portable handheld devices 21 a-21 n may include secure dataand/or programs that are used to securely send user sensitiveinformation, such as credit card and debit PIN information, over awireless POS network. As such, the portable handheld devices mayadvantageously be configured by a third party vendor and provided to aretail store, restaurant, etc. for enhanced security, as will bediscussed further below, at Blocks 40, 42 (FIG. 4).

The portable handheld devices 21 illustratively include a portablehousing 22, a display 23 carried by the housing, and an order entryinput device 24 also carried by the housing. In the illustratedembodiment (FIG. 3), the input device is a user manipulated stylus(which is removed from its carrying slot in the housing 22 for clarityof illustration), and the display 23 is a touch screen. It should benoted that in other embodiments different input devices may be used,such as a keypad, buttons, etc., or the touch screen may be the soleorder entry/user input device (with or without a stylus 24).

The portable handheld devices 21 a-21 n further illustratively include arespective transaction card input device, which in the illustratedembodiments are magnetic card readers 25 a-25 n, although other suitabletransaction card input devices may also be used. Each magnetic cardreader 25 is carried by the housing 22 for reading user sensitiveinformation from a transaction card, such as a credit or debit card, aswill be appreciated by those skilled in the art. The portable handhelddevices 21 a-21 n also include a wireless transceiver 26 and associatedantenna 27 carried by the housing 22. By way of example, the above-notedPAQ HX4700 includes a wireless IEEE 802.11b IEEE internal transceivers.

Furthermore, a processor 28 is also carried by the housing 22 and isillustratively connected to the display 23, order entry input device 24,transaction card input device 25 and wireless transceiver 26. Theprocessor 28 may thus wirelessly send input order information obtainedfrom the order input entry device 24 via the wireless transceiver 26 tothe appropriate location, at Block 44. For example, in the illustratedembodiment the processor 28 may send the input order information to aninput order computer 30 via a wireless network router 31. Moreparticularly, the wireless network router 31 may be a wireless LANrouter, such as an IEEE 802.11x or Bluetooth router, for example.

The input order computer 30 may provide a centralized collection pointfor orders to be filled by kitchen workers (i.e., cooks) in the case ofa restaurant, or other product orders in a retail environment, as willbe appreciated by those skilled in the art. It should be noted that insome embodiments the input order information may be sent to a networkprinter in the restaurant kitchen directly and not received or processedby the input order computer 30.

The portable handheld devices 21 a-21 n further illustratively include avolatile memory 32 for storing encryption data, such as a privateencryption key, at Block 52′ (FIG. 5). To provide enhanced protectionagainst potential tampering to compromise the volatile memory and gainaccess to the sensitive data thereof, a tamper resistant structure suchas an encapsulant (e.g., an epoxy) 39 may be placed around a volatilememory 32 and a battery 38 of the portable handheld device 21 (FIG. 2),as will be discussed further below.

A non-volatile memory 33 (e.g., FLASH or optical disk drive) is forstoring other information such as operating system and applicationprograms, and input order (e.g., menu) data provided by the input ordercomputer 30 (Block 54′), etc. That is, the non-volatile memory 33 maystore a menu that it downloads from the input order computer 30 (orother source), which may advantageously be changed from time-to-time onthe premises where the portable handheld devices 21 a-21 n are beingused. Of course, it should be noted that other data such as operatingsystem and application program updates, etc., may also be uploaded tothe portable handheld devices 21 a-21 n. It should also be noted thatseparate memories 32 and 33 need not be used in all embodiments, i.e., asingle memory may be used for storing all of the data (both secure andunsecure).

Access to the cryptographic data (e.g., private cryptographic key,cryptographic software components, etc.) in the volatile memory 32 mayadvantageously be restricted or blocked from the input order computer 30for security purposes, as will be discussed further below. The processor31 also advantageously encrypts and wirelessly sends the user sensitiveinformation from a transaction card (e.g., debit or credit) withoutstoring and without displaying same, at Block 46 (FIG. 4), as will alsobe discussed further below. This advantageously helps reduce the chanceof a criminal or even an employee with access to a portable handhelddevice 21 from obtaining the user sensitive information. The processor28 also is for wirelessly receiving and displaying payment authorizationinformation based upon real time authorization from a transaction cardissuing entity, at Block 48, thus concluding the method illustrated inFIG. 4 (Block 50).

An exemplary sequence of operational display screens of the portablehandheld devices 21 a-21 n are shown in FIGS. 6-8. In a first displayscreen (FIG. 6), the processor 28 prompts a user (e.g., awaiter/waitress, manager, etc.) to provide a user name and password togain operational access to the portable handheld device 21. Onceauthenticated, a second display screen (FIG. 7) provides the user with achoice of various operations or functions that can be performed, such asdisplaying a menu for taking orders (FIG. 8), viewing previouslysubmitted orders, and processing payments for orders.

Most debit or check cards typically require a user to provide a personalidentification number (PIN) at the time of purchase. Similarly, somecredit card transactions require users to provide an identifying number,such as a billing zip code, for example. To this end, the portablehandheld devices 21 a-21 n may further include a debit personalidentification number (PIN) input device, such as a touch screen (withor without stylus), as illustrated in FIG. 9. Here again, other PINinput devices such as a keyboard, etc., may also be used. Thus, fortransactions where a PIN or other identifying indicia is required (Block56′), the processor 28 collects the debit PIN via the debit PIN inputdevice (Block 58′) and also preferably wirelessly encrypts and sends thedebit PIN information along with the user sensitive information from thecard (i.e., account number, etc.), again without storing and withoutdisplaying for enhanced security (Block 46′).

In particular, storing of the user sensitive data and/or debit PINinformation may be avoided by using a Secure Sockets Layer (SSL)protocol for communications between the processor 28 and the transactioncard issuing entity 34. As shown in the illustrated embodiment, thecommunications between the processor 28 and the transaction card issuingentity 34 are over the Internet 36. In some embodiments, each processor28 may also communicate with an inventory server 35 via the Internet,which may advantageously maintain inventory for one or more stores,restaurants, etc., as orders are taken and processed.

The inventory server 35 may also be used to provide accounting servicesfor the given store, restaurant, etc. Another advantageous use for theinventory server 35 is that it may be used to provide software, menu, orother updates to the portable handheld devices 21 a-21 n via theInternet 36 to be stored in the non-volatile memory 33. Of course,updates to red data stored in the volatile memory 32 may potentially beupdated in this fashion as well, if desired, as will be appreciated bythose skilled in the art. The portable handheld device may furtherinclude a printer 37 carried by the housing 22 in some embodiments. Theprocessor 28 may thereby print a transaction receipt for a customer, atBlock 60′.

An alternative arrangement of the system 20″ providing a secure wirelessinternet payment environment (SWIPE) is now discussed with reference toFIG. 10. Generally speaking, certain core functions of the system 20″include order entry and payment acceptance abilities. The portablehandheld devices 21″ allow order entry functionality and paymentacceptance by reading information from a coupled magnetic card reader25, and orders and payment information are transmitted wirelessly to asecured server 38″. Credit card and debit PIN requests are capturedusing an encrypted interface which sends payment information usingencryption and approved industry standards. Each individual device 21 isused to place orders and may be presented to the customer to initiatefinal payment.

More particular, the SWIPE is a wireless electronic dual order entry/POSsystem. The portable electronic device 21″ may collect information usingtouch screen technology, and the coupled card reader 25″ captures creditand debit PIN information, which is encrypted and transmitted to a cardissuing bank 34″ using a secured wireless connection (e.g., and SSLconnection). Hardware components are protected to reduce the likelihoodof tampering and or accessing internal components of the device 21″. Thecardholder's credit card, debit PIN and/or gift card information isencrypted into a secured file packet and transmitted using a real timeauthorization process transmitting data direct to issuing bank 34″including, for example, VISA, MasterCard, JCB (Japanese Credit Bureau)and local PIN debit networks.

The portable handheld device 21″ preferably does not have the ability tostore or display credit card or debit PIN information on the physicaldevice, nor to store any sensitive information in the internal memory orbuffers of the input device. The cardholder will advantageously have theability to initiate the payment process using a series of screens whichtransmits data to issuing bank 34″ and verifies a completed transaction,allowing the customer to protect personal card information to reduceskimming violability, the central component in identity theft.

As noted above, an SSL protocol may be used to provide secured datatransmission to the issuing bank 34″ so that the portable handhelddevices 21″ do not have to store, display or posses the ability tootherwise output sensitive data. Moreover, the portable handheld devices21″ and wireless network routers 31″ are the only components required totransmit data, and thus a server need not be kept at a store orrestaurant premises with sensitive information stored thereon. Allprompts are protected against penetrations, modifications andalterations, and the portable handheld device 21″ may also include aprinter 37″ for printing receipts generated as a result of a saletransaction. The printers 37″ may be coupled to respective devices 21,or physically detached therefrom as shown in FIG. 10 and communicatewirelessly therewith. In this way, the printers 37″ may be sharedbetween multiple devices 21″, if desired.

The system 20″ and, more particularly, the portable handheld device 21″may advantageously be used for restaurant/hospitality, mobile and retailenvironments, for example, having a total weight and outer dimensionspermitting a person to relatively easily carry it in hand whileinputting and transmitting data. In the illustrated embodiment, a PDArestaurant environment 70″ includes physically and logically securedportable handheld devices 21″ communicating using secured wirelesscommunication capabilities to connect to receipt and service printers,secured SSL two-way communications to the server 38″ via the Internet36″, processor and issuing banks 34″, as well as backend management andreporting systems 39″, as will be appreciated by those skilled in theart.

A PDA mobile environment 71″ also illustratively includes physically andlogically secured portable devices 21″ communicating using securedwireless communication capabilities (e.g., satellite 65″ communicationlinks) to connect to receipt and service printers 37″, secured SSLtwo-way communications to the server 38″, processor and issuing banks34″, as well as the backend management and reporting systems 39″.Additionally, a FDA retail environment 72″ illustratively includesphysically and logically secured portable devices 21″ communicatingusing secured wireless communication capabilities to connect to receiptand service printers 37″, secured SSL two-way communications to theserver 38″, processor and issuing banks 34″, and backend management andreporting systems 39, as discussed above.

Further operational aspects and advantages will be understood withreference to another exemplary SWIPE implementation. Preferably, allSWIPE applications are supported by the Windows CE operating systems(OS): ASP.NET, Windows .NET Web Services, WEP Encryption, Microsoft .NetCompact Framework, and SSL Encryption. Utilizing the Microsoft .NETCompact Framework application on a PDA provides secure communicationover a wireless network, which communicates over the wired Internetusing SSL encryption, retrieving data from a Microsoft .NET Web service.

Microsoft® Windows® CE is an open, scalable, 32-bit operating systemthat is designed to meet the needs of a broad range of intelligentdevices, from enterprise tools such as industrial controllers,communications hubs, and point-of-sale terminals to consumer productssuch as cameras, telephones, and home entertainment devices. A typicalWindows CE-based embedded system targets a specific use, runsdisconnected from other computers, and requires an operating system thathas a small footprint and a built-in deterministic response tointerrupts.

The .NET Framework has two main components, namely the common languageruntime and the .NET Framework class library. The class library is acomprehensive, object-oriented collection of reusable types ofapplications ranging from traditional command-line or graphical userinterface (GUI) applications to applications based on the latestinnovations provided by ASP.NET, such as Web Forms and XML Web services.The .NET Framework can be hosted by unmanaged components that load thecommon language runtime into their processes and initiate the executionof managed code, thereby creating a software environment that canexploit both managed and unmanaged features.

SSL is a widely used method for transmitting encrypted data over theInternet. SSL uses public key cryptography to securely generate andexchange a secret key called the session key. The Microsoft® Windows®CE-based client and Microsoft Internet Information Services (IIS) usethe session key to encrypt and decrypt the data they send to oneanother. Connectivity between Microsoft® SQL Server™ 2000 Windows® CEEdition (SQL Server CE) and an instance of Microsoft SQL Server reliesentirely upon properly configuring the security models for both theMicrosoft Internet Information Services (IIS) and SQL Server. In the SQLServer CE connectivity scenario, a Windows CE-based applicationinitiates synchronization by invoking the appropriate SQL Server CEconnectivity solution, either replication or remote data access (RDA).After the SQL Server CE Server Agent is invoked, it connects to aninstance of SQL Server. SQL Server authentication and authorization canbe configured to control access to SQL Server or SQL Serverpublications.

IEEE 802.11 is a set of industry standards for shared wireless localarea network (WLAN) technologies, the most prevalent of which is IEEE802.11b, also known as Wi-Fi. IEEE 802.11b transmits data at 1, 2, 5.5or 11 Megabits per second (Mbps) using the 2.45 gigahertz (GHz) S-BandIndustrial, Scientific, and Medical (ISM) frequency range. The latestimplementation of the standard, 802.11g, transmits data at speeds of upto 54 Mbps. Other wireless devices such as microwave ovens, cordlessphones, wireless video cameras, and devices using another wirelesstechnology known as Bluetooth also use the S-Band ISM. Security for IEEE802.11 includes encryption and authentication. Encryption is used toencrypt, or scramble, the data in wireless frames before they are senton the wireless network. Authentication requires wireless clients toauthenticate themselves before they are allowed to join the wirelessnetwork.

Secured gateways utilize SSL authentication and encryption technology.This is patented technology developed by Netscape Communications andrelies on encryption developed by RSA Data Security, Inc. and othercryptographic providers. SSL encryption protects information beingtransmitted across the Internet from third parties. When remote webbrowsers are accessed by the Gateway Commerce Server, the connectionbetween the “client” and Commerce Server becomes a dedicated “link.”This is done by the exchange of keys between a commerce server and the“client,” which each use the keys for encrypting and decrypting the datawhich is passed between the connection. Transmitting information isencrypted and would appear as jumbled or mangled text across theInternet to the Gateway Commerce Server where the data is decrypted on asecure connection with a server, which uses SSL technology.

A debit PIN user input device may include a Graphical User Interface(GUI) with a plurality of keys (e.g., 13 or more keys) and entrydisplay. The display may show text prompts to guide user through stepsrequired. PIN entry will result in the display of a non-descriptivecharacter per key pressed, and preferably no key identifying sounds willoccur during PIN entry. When a PIN has been entered and the ENTER keyhas been selected, the application will format and encrypt the enteredPIN information using encryption information stored securely in theportable handheld device. User Track 2 data from the credit or debitcard will be present and provided to the encrypting application for usein formatting the PINBLOCK data prior to the entry of PIN information.Following the encryption process, all memory used for the encryption ispreferably immediately zeroed or cleared. Derivation of encryption datawill be performed just prior to each encryption process so that no cleartext encryption data is stored between uses.

Certain existing prior art wireless certified solutions will now bedescribed. The first is analog systems. These systems include machinesthat use wireless data networks. This service offers virtually universalcoverage. However, various types of “roaming charges” from a cellularphone through a connecting “magic box” interface, can add up veryquickly. Plus, the processing units tend to be a bit cumbersome, as theyinclude a terminal (plus its charger), a phone (plus charger), and itsconnecting interface. Moreover, desired coverage is not always availablewith analog systems.

Radio and Cellular Digital Packet Data (CDPD) are similar in that thereis no traditional roaming charge from a cellular company, but as withanalog system coverage varies. Still, various processing companiestypically charge a fixed monthly subscription fee in order to use eitherservice. A main advantage of machines that use these technologies isthat they are “all-in-one” units. CDPD and radio devices providecoverage virtually anywhere, but each of these two technologies havecoverage gaps. CDPD reportedly works better from indoor settings, due tothe frequency range of its radio signal, but it is purportedly lackingcoverage in some major cities. Also, it is possible that a CDPD carriermay not be licensed to operate in every market that has CDPD coverage.

It is predicted that by the year 2007 there will be nearly 120,000 WLAN“hot spot” gateways world-wide, providing access to private and publicnetworks from over 200 million mobile devices being used for business.Furthermore, 85% of wireless security incidents will involve data atrest on the selected devices. In comparison CDPD and radio technologyhave not provided secured multi-purpose functionality, CDPD and radioare limited to the precautions taken by the service provider. SWIPEenhances the security boundary and the benefits of secured CardVerification Value (CVV2) Internet processing and decreases fraud byensuring that the cardholder never looses sight of their card.

In recent years, the industry has witnessed significant growth inskimming and counterfeit fraud with the development of small, portabledevices, which can store up to 100 account numbers at a time. Once inpossession of a customer's credit card, the criminal can run the cardthrough this easily concealed device and in seconds access and store themagnetic stripe information. Skimming usually occurs in businesses wherethe normal transaction requires the cardholder to give up possession ofthe card, such as in restaurants.

To date the payment card industry and relevant government agencies havebeen addressing the issue from a largely independent position. The SWIPEsolution may be a more effective tool by decreasing the opportunity forthese types of fraud to occur. Skimming and counterfeit fraud are muchmore difficult when the cardholder is in possession of his credit card.SWIPE mitigates the opportunity of a criminal gaining access to anindividual's credit card account. More importantly, the combinedsolution represents a real time high level of risk management defensethrough its multiple secured data sources.

VISA PIN entry device certification when granted is provided by VISA toensure PIN entry device (PED) PIN physical and logical securitycharacteristics. Cardholder PIN confidentiality depends on adequate PINsecurity standards and their secure implementation. Therefore,international standards organizations (ANSI and ISO) require migrationfrom the Data Encryption Standard (DES) using single-length keys (SingleDES) to the Triple DES algorithm (TDES), of which the TDES key lengthare at least double-length. VISA adheres to international standards andrequires that all newly deployed PIN entry devices support the use ofTriple DES whenever DES is used to protect the cardholder's PIN, e.g.,online PINs.

The VISA PED Identifier represents the PED model that has been evaluatedsuccessfully by the laboratory and received Visa's approval. Theidentifier consists of the following four (4) components: PED model nameand/or number, hardware version number, firmware version number, andapplication version number. VISA will issue approval letters tomanufacturers with PEDs that have successfully passed a laboratoryevaluation to ensure compliance with VISA and industry standards andspecifications.

In the SWIPE system, a PDA is used for the portable handheld device. Alllogic may reside on a secured Internet server providing encryptedreal-time transactions. Building on familiar platforms, SWIPE offersnumerous payment and value-added options simultaneously. It provides amulti-functional authentication solution that will verify swipedtransactions with the security of the Internet in a real-time POSpayment environment. With SWIPE, faster transaction times may beachieved, as well as increased revenues resulting from increasedspending per transaction and increased frequency of purchases andincreased loyalty. Improved operational efficiency results from reducingoverhead and recourses. Competitive differentiation attracts newcustomers by providing a more convenient payment method.

Various SWIPE Modules may be implemented for different applications. ASWIPE Interface supports operating utility allowing all SWIPE programsto interface with one another. For example, a SWIPE Hospitality programmay store and transfer information to either the credit or debit cardpayment programs. File data storage and transfer include all food andservices ordered. It also supports programs such as pinging to kitchenand bar area, signature capture on screen, debit encryptionstorage/transfers and pinging features on the device.

The SWIPE Hospitality module provides a complete customized menu programwhich can be modified to manage different restaurant or hospitalityneeds. Each menu is stored on a secured web site which allows thehousing, storing, and transfer of order entry data for several customersat once. The utility is also communicates using a SQL protocol supportedby the SWIPE Interface. A SWIPE credit module provides credit/offlinedebit authorization/settlement payment utility capturing all track dataon the payment card including CVV2. Transactions are captured via POSswiping and processed in a real time environment via a secured Internetgateway. Virtual transactions offer faster settlement and payment to amerchant's account.

A SWIPE PIN module provides online debit PIN authorization/settlementpayment utility using 3DES, DUKPT and PIN Block functionality using theSWIPE interface connection port. Transactions are processed through avirtual gateway. Customers can swipe their own check/debit cardsincluding personal PIN to certified debit networks in a real timeenvironment. Moreover, a SWIPE Gift module allows merchants to load anddeduct payments to provide a total integrated solution. A SWIPE Menumodule is a custom configuration opened utility, which can be built tomanage various types of inventory and data. Using the SWIPE Interfaceinput data can be transferred for processing or storage and viewed usingInternet back end management programs.

Retail/restaurant benefits of using the SWIPE system include speed andsecurity of payment, for example. More particularly, industry segmentsin which speed and security of payment are essential can realizesignificant benefits from SWIPE include restaurants (especially finedining establishments); parking facilities, entertainment venues andamusement parks. While business drivers differ for each segment, earlytests of SWIPE have demonstrated the one or more of the followingbenefits may be achieved: faster transaction times; increased revenue;improved operational efficiency and lower operating cost; bettercustomer information; and/or competitive differentiation. Moreparticularly, faster transactions times are achieved by moving to areal-time payment gateway that is faster than such telecom transactions.It is estimated that SWIPE credit or debit can save 10-15 seconds pertransaction with respect to such transactions. In some retail segments,faster customer service may translate directly into increased revenue.Increased revenue may result from increased spending per transaction,increased frequency of purchases, and increased loyalty (when themerchant becomes the customer's preferred retailer). Swiping his or herown card gives the customer a more secured payment option.

Improved operational efficiency and lower operating costs may resultfrom reducing overhead and recourse requirements at merchant locations,reducing card handling and pilferage cost, and improving reliability ofpayment solution. Better customer information enables the retailer tobetter understand customers' behavior by collecting data that could notbe collected with traditional telecom terminal devices. Competitivedifferentiation attracts new customers by providing a more secured,convenient, multi-functional payment method.

SWIPE technology can support numerous payment requests, includingtraditional credit card, debit PIN, pre-authorization and gift or storedvalue payment solutions. Credit and debit transactions require theparticipation of one or more financial institutions and the approval ofa payment association. In North America, the three major cardassociations (American Express, MasterCard and VISA) have establishedInternet payment options with significant issuer participation. Thestronger security of processing on the Internet could help driveincreased sales and telecom processing can be eliminated as a practicalprocessing alternative to a wireless real time transaction solution.

The SWIPE solution may operate at 82 dBm @11 Mbps across a distance ofup to 100 feet or more from a router, for example. The technology willallow programmed data to be transferred between the server and the POSdevice, such as restaurant menus, closed ticket orders, credit card, anddebit and gift card transactions. SWIPE also communicates, stores andtransmits data. The technology eliminates the need for the server towalk away with the customer's credit or debit card to authorizepayments, which has been the most widely used method of gaining thecardholders information for skimming. SWIPE technology introducesadditional points between the authorization/settlement interface and thePOS terminal.

Another advantageous implementation of a SWIPE PED is now described. Inthis implementation, the SWIPE PED comprises an off-the-shelf HP iPAQhx4700 Pocket PC handheld PDA-style device. A magnetic stripe cardreader is connected to the device via the compact flash slot at the topof the PED. The PED runs Microsoft Windows CE 4.21 Pocket PC OS. Specialsoftware from iAnywhere called Maria provides the vendor (SecuredPay inthe present example) the ability to remove unwanted softwareapplications, operating system user interfaces, and lock the deviceinterface and ports. The PIN entry functionality is provided bySecuredPay software loaded on the device. SecuredPay configures thedevice, loads the requisite menus and transaction firmware, thenperforms a system lockdown with the Afaria software before the deviceleaves SecuredPay's premises. No other software can be loaded or changesmade to the device once it is locked without performing a hard reset,which erases all vendor firmware and sensitive information, includingkeys.

Physical protection is provided by an epoxy potting process that isapplied to the device after it is received from HP. A custom epoxypotting compound from System Three is used to fill most voids inside thedevice. The case and main battery are removed. A number of interiorstickers and plastic covers are removed to allow for direct adhesionbetween components. The epoxy is applied using a syringe to the interiorof the device, including between the LCD and the main PCB, around thefront case, covering the touch screen data path, covering the displayoutput, between the main battery and PCB, and in the rear of the case.All sensitive components and data paths are covered in this pottingcompound.

The device case includes five main parts: (1) front case and bezel withopening for the touch screen display; (2) rear case with the space forthe main battery; (3) a black plastic frame that extends on three sidesof the device and is exposed on the two sides and top; (4) main batteryexposed on the rear of the device; and (5) a second black plastic piecewith buttons and touch sensor on the bottom front the device. The PDA isdesigned to be held together with four screws that are inserted from theback and extend through the back, main PCB, large black plastic frame,and attach to the front case. Other plastic tabs also provide someassistance in keeping the device together. During the epoxy pottingprocess, all of the case parts are secured together with the epoxy andthe screws are dipped in the epoxy before being inserted. The top of thescrew hole is then filled with epoxy flush with the rear case.

Once the device has been potted and reassembled, the epoxy is heatcured. The epoxy protection ensures any attempt to gain access to theinterior of the device to disclose future PINs in any way will result inthe destruction of the device or at a minimum leave tamper evidence thatwould have a high probability of detection. The epoxy potting compoundused to fill the interior of the device provides a strong protectionpreventing internal access with the intent of disclosing future PINs.This advantageously provides a relatively high degree of protectionagainst mechanical, chemical, and temperature methods for defeating thepotting material that would otherwise allow an attacker to penetrate andalter the PED to disclose future PINs without damaging the device orcausing tamper evidence that a cardholder would recognize.

Sensitive information handled by the PED takes the form of plaintext PINvalues, prompt messages for numeric input, and cryptographic keys. Oncekeys and firmware, including prompt data, are entered into the PED,there is no mechanism to output these. PIN values are never output inplaintext form, only encrypted. Within the PED, they are stored andprocessed by circuitry within the potting securing the device. This datais fully contained within the PED. All sensitive information andfirmware is stored and processed within components that are protected bythe epoxy potting that secures the device components and case. Allsensitive information and firmware are stored and processed within BGAmounted components within a very small area of the PCB. Very few tracesbetween the processor, RAM, FLASH, and the display controller areaccessible even if the epoxy was defeated.

All prompts used in conjunction with non-PIN data entry are integratedinto the firmware of the PED. This firmware is loaded once atmanufacture and cannot be updated or modified without performing a hardreset of the device which erases all sensitive information and firmware.The firmware does include a function to update the restaurant menuofferings by connecting to a remote server. A separate XML filecontaining these items is downloaded onto the device. None of theseprompts are used in conjunction with non-PIN data input, as the menusystem only allows a server to increment or decrement the quantity ofitems with “+” and “−” buttons. The XML schema does not allow for anyitems other than menu entries to be defined or processed by the PED.This update service does not impact the security of any sensitiveinformation.

All prompts are stored within the physically secured area of the FED.There are no access points to the program storage area, the processor,or any intervening paths. Moreover, when a user enters a debit PIN eachdigit provides a same tone, that is, each PIN digit uses the same sound.The tones are generated by the iPAQ sound card, which is capable ofplaying any tones, and is driven from the main power supply of the PED.The device is designed to conform with appropriate FCC, ANSI, and IEEElimits for intentional radiated power output on the wireless interfacesand spurious emissions.

The PED is a standard size PDA, and cardholder PIN values are enteredinto the device through the main touch screen interface. This allows acardholder to shield the display during PIN entry. The PED is an HP iPAQPDA device custom designed and manufactured for HP. The card readerinterface is designed and manufactured by SemTek Innovative SolutionsCorporation. The casings are not commercially available, making theconstruction of a duplicate device from commonly available componentsimpractical and providing still further security.

Self-tests are performed on power up and periodically. The self-testsinclude a firmware integrity check (SHA256 hash) of all of the firmwarecomponents including SecuredPay.exe PIN pad and encryption program;Afaria program used to lock the device, SWIPE menu and order processingprogram, SIVA firmware integrity check and scheduling software, andselected Windows Mobile 2003 libraries used by the above-noted software.The firmware integrity test is run initially on boot by the SIVAapplication. Subsequent tests are performed periodically triggered bythe SIVA scheduler every 24 hours, for example, or as otherwisespecified. In the event of a firmware integrity check failure, the SIVAapplication will prevent the execution of the firmware and the user willbe denied access through the user interface.

The PED performs a self-test upon start-up and at least once per day tocheck firmware, security mechanisms for signs of tampering, and whetherthe PED is in a compromised state. In the event of a failure, the PEDand it functionality fails in a secure manner. The firmware tests occurautomatically and must successfully pass in order to launch theapplication. A failure will result in a message being displayedindicating that the device has been deactivated and all sensitiveinformation has been erased.

The device has multiple input/output interfaces USB, Compact Flash, SDcard, 802.11b wireless, and the touch screen. After firmware load atSecuredPay, the Afaria software disables the USB port for the remainderof the PED lifecycle. The touch screen is used to perform the one timeinitial key load. No sensitive services or functions are available overthe other interfaces. Data passed to the card processor is checked forproper parameter values.

All PED firmware undergoes a documented process that is applied to allnew releases and updates. Before each release, the source code isreviewed. Firmware is developed using software source code control,specifically Microsoft Visual SourceSafe. The PED displays the firmwareversion number within the SwipeMenu Settings screen.

Asterisks or other similar symbols are displayed on the PED in lieu ofentered PIN digits. The PED is designed to operate in a restaurantsetting where the wait staff will use the device to record the orders ofthe clients directly in the PED. Order totals are calculated by theapplication and the cardholder is prompted to enter a tip amount basedon the order subtotal. Once the tip screen has been completed within theapplication, control of the device is turned over to the firmwarecomponent responsible for displaying the PIN pad and calculating theencrypted PIN block. The separation between the application and firmwareensures that the PIN entry is clearly a separate operation from the menuand tip amount entries.

Sensitive PIN data temporarily resides in buffers within the PED. TheSWIPE application erases the buffers at the completion of the PIN blockencryption, if the transaction is canceled, or the PIN entry times out.The following data is cleared from the internal buffers of the PED: PINdata; intermediary calculation data; and clear text PIN block. The PINentry screen times out in 3 minutes (or other predetermined period) andreturns to the menu software, although other timeout durations may alsobe used.

The only sensitive function or service is a one time TDES DUKPT initialkey load. Firmware updates are performed by SecuredPay and require ahard reset of the device which clears all SecuredPay firmware andsensitive information, including cryptographic keys. The restaurant menuupdate function is not considered to be security relevant. Key loadingcan be performed after firmware has been loaded by SecuredPay. A screenexists that will allow for the TDES DUKPT initial key and KSN to beentered. The TDES DUKPT initial key must be entered as two separatecomponents. This key loading requires two separate key components to beentered along with separate passwords associated with each. Keycomponent and password fields are masked and each component holderenters his key component and password exactly the same twice forverification. If the two passwords have been entered correctly, thedevice will perform the sensitive function combining the two componentstogether, saving the resulting key, and immediately return a messagedisplaying a successful key load.

Once loaded, the key input screen is disabled and further attempts toaccess it display a message that the key has been successfully loadedand the key load request is aborted. A hard reset, which erases allSecuredPay firmware and PIN encryption keys, is the only way to reloadany keys. Passwords and key share values are not displayed during entryand are immediately erased from internal buffers after use.

The sensitive one time key loading function is the only sensitive statepresent in the device. The first individual enters their masked TDESDUKPT initial key component and their masked password into the Part 1key loading screen. No sensitive data or functions are available orprocessed until the Complete KeyPart 1 button is touched. At this timethe firmware resumes control, verifying the first password and cachingthe first key component. The second individual is then prompted to entertheir masked TDES DUKPT initial key component and their masked passwordinto the Part 2 key loading screen. No sensitive data or functions areavailable or processed until the Complete KeyPart 2 button is touched.At no point is the device in a sensitive state waiting for any input orcommands.

The PED processes the PIN as follows. The PED menu application finalizesthe transaction amount and gathers the account information from themagnetic card reader. This information is then passed to the PIN padapplication. The PIN pad application then displays a PIN pad on thetouch screen, and the cardholder enters the PIN and touches the Enterbutton. The PIN pad application immediately calculates the PIN block,encrypts it, and returns it to the menu application.

The PED has characteristics that prevent or significantly deter the useof a stolen device for exhaustive PIN determination (e.g., usingelectromechanical solenoids to depress the keys, so as to try allpossible PINs until the ciphertext produced equals the ciphertextrecorded when the PED was in operational use). For example, the deviceuses a unique key per transaction technique (i.e., prevents the attack).Moreover, the device prevents the entry of the PIN through methods otherthan the keypad, and limits the rate at which the PED will encrypt PINsto the average (e.g., over 120 transactions) of one per 30 seconds(i.e., deters the attack).

The PED implements the DUKPT key management technique as defined by ANSIX9.24 and utilizes Triple-DES encryption in compliance with ISO 9564.The PIN block format is consistent with ISO 9564-1 Format 0. PINencryption keys are managed by the device firmware and cannot beexported from the device. Only a single set of future DUKPT keys existin the device and only a single application uses this set. As notedabove, firmware and application updates are not possible without hardresetting the device, causing all firmware and keys to be lost. Thedevice has no keys for firmware or application updates. As alsodiscussed above, the 3DES DUKPT PIN encryption key is loaded via twoseparate key components held by two individuals. The device does notallow a plaintext single component key to be entered manually orelectronically. The device does not use any public key techniques fordistribution of symmetric secret keys.

There are preferably no mechanisms in the device that will permit theoutput of a private or secret cleartext key or PIN. Moreover, there arealso preferably no commands available through the user interface or USEport to output keys or PIN values. The PIN values are encryptedimmediately upon entry and are erased after they are used to form thePIN block. PIN values are only output as part of an encrypted PIN block.No functionality is provided to read out keys or PINs in plaintext orencrypted under keys that themselves might be disclosed. There is only asingle set of TOES DUKPT keys used exclusively for PIN encryption.

As noted above, all sensitive information is stored and used within thePED housing potted in epoxy. The processor, memory, and storage all havean equal level of physical protection. The device hardware and softwaredo not provide any mechanisms to output cleartext keys outside of thephysically secured area.

The PED and the ICC reader, whether integrated or not, are designed tobe used as unattended devices (e.g., fuel dispenser, vending machine,etc) and are tamper responsive, including precautions againstunauthorized removal. If the PED and the ICC reader are not integratedand the cardholder verification method (i.e., the ICC requires) isdetermined to be an enciphered PIN, then the PIN block is be encipheredbetween the PED and the ICC reader using either an authenticatedencipherment key of the ICC, or in accordance with ISO 9564-1. If thePED and the ICC reader are integrated and the cardholder verificationmethod is determined to be an enciphered PIN, then the PIN block isenciphered using an authenticated encipherment key of the ICC.Additionally, if the PED and ICC reader are integrated and thecardholder verification method is determined to be a plaintext PIN, thenencipherment is not required if the PIN block is transmitted whollythrough a protected environment (as defined in ISO 9564.1 Section 6.3).If the plaintext PIN is transmitted to the ICC reader through anunprotected environment, then the PIN block is enciphered in accordancewith ISO 9564-1.

Many modifications and other embodiments of the invention will come tothe mind of one skilled in the art having the benefit of the teachingspresented in the foregoing descriptions and the associated drawings.Therefore, it is understood that the invention is not to be limited tothe specific embodiments disclosed, and that modifications andembodiments are intended to be included within the scope of the appendedclaims.

That which is claimed is:
 1. A portable handheld device for wirelessorder entry and real time payment authorization comprising: a housing; adisplay carried by said housing; an order entry input device carried bysaid housing; a transaction card input device carried by said housingfor reading user sensitive information from a transaction card; awireless transceiver carried by said housing; and a processor carried bysaid housing and connected to said display, order entry input device,transaction card input device and wireless transceiver for wirelesslysending input order information, encrypting and wirelessly sending theuser sensitive information from the transaction card without storing andwithout displaying the user sensitive information, and wirelesslyreceiving and displaying payment authorization information based uponreal time authorization from a transaction card issuing entity.
 2. Theportable handheld device of claim 1 further comprising a debit personalidentification number (PIN) input device carried by said housing andconnected to said processor; and wherein said processor also wirelesslyencrypts and sends debit PIN information without storing and withoutdisplaying the debit PIN information.
 3. The portable handheld device ofclaim 1 wherein said wireless transceiver comprises a wireless localarea network (WLAN) transceiver.
 4. The portable handheld device ofclaim 1 wherein said processor sends and receives information via aSecure Sockets Layer (SSL) protocol.
 5. The portable handheld device ofclaim 1 wherein said display comprises a touch screen; and wherein saidorder entry input device comprises a user manipulated stylus cooperatingwith said touch screen.
 6. The portable handheld device of claim 1further comprising a printer carried by said housing; and wherein saidprocessor is also for printing a transaction receipt.
 7. The portablehandheld device of claim 1 wherein the portable handheld device is forrestaurant order entry, and further comprising a memory storingrestaurant menu data.
 8. The portable handheld device of claim 1 furthercomprising a volatile memory storing a private key for encryption. 9.The portable handheld device of claim 8 further comprising at least onetamper resistant structure associated with said volatile memory.
 10. Theportable handheld device of claim 9 further comprising a battery carriedby said housing and powering said volatile memory; and wherein said atleast one tamper resistant structure comprises an encapsulantsurrounding said battery and said volatile memory.
 11. A portablehandheld device for wireless restaurant order entry and real timepayment authorization comprising: a housing; a display carried by saidhousing; an order entry input device carried by said housing; at leastone memory for storing restaurant menu data and a private key forencryption; a transaction card input device carried by said housing forreading user sensitive information from a transaction card; a debitpersonal identification number (PIN) input device carried by saidhousing; a wireless transceiver carried by said housing; and a processorcarried by said housing and connected to said display, order entry inputdevice, at least one memory, transaction card input device, debit PINinput device, and wireless transceiver for wirelessly sending inputorder information, encrypting and wirelessly sending user sensitiveinformation from the transaction card and debit PIN information withoutstoring and without displaying the user sensitive information, andwirelessly receiving and displaying payment authorization informationbased upon real time authorization from a transaction card issuingentity.
 12. The portable handheld device of claim 11 wherein saidwireless transceiver comprises a wireless local area network (WLAN)transceiver.
 13. The portable handheld device of claim 11 wherein saiddisplay comprises a touch screen; and wherein said order entry inputdevice comprises a user manipulated stylus cooperating with said touchscreen.
 14. The portable handheld device of claim 11 further comprisinga printer carried by said housing; and wherein said processor is alsofor printing a transaction receipt.
 15. A portable handheld device ofclaim 11 wherein said at least one memory comprises at least onevolatile memory.
 16. The portable handheld device of claim 11 furthercomprising: a battery carried by said housing and powering said at leastone memory; and an encapsulant surrounding said battery and said atleast one memory.
 17. A system for wireless order entry and real timepayment authorization via the Internet and comprising: a wirelessnetwork router connected to the Internet; and at least one portablehandheld device comprising a housing, a display carried by said housing;an order entry input device carried by said housing, a transaction cardinput device carried by said housing for reading user sensitiveinformation from a transaction card, a wireless transceiver carried bysaid housing for wirelessly communicating with said wireless networkrouter, and a processor carried by said housing and connected to saiddisplay, order entry input device, transaction card input device andwireless transceiver for wirelessly sending input order information tosaid wireless network router, encrypting and wirelessly sending the usersensitive information to said wireless network router from thetransaction card without storing and without displaying the usersensitive information, and wirelessly receiving and displaying paymentauthorization information from said wireless network router based uponreal time authorization from a transaction card issuing entity.
 18. Thesystem of claim 17 wherein said at least one portable handheld devicefurther comprises a debit personal identification number (PIN) inputdevice carried by said housing and connected to said processor; andwherein said processor also wirelessly encrypts and sends debit PINinformation without storing and without displaying.
 19. The system ofclaim 17 wherein said wireless network router comprises a wireless localarea network (WLAN) router.
 20. The system of claim 17 wherein said atleast one portable handheld device is for restaurant order entry;wherein said at least one portable handheld device further comprises amemory storing restaurant menu data; and further comprising a menucomputer for sending the menu data to said at least one portablehandheld device via said wireless network router.
 21. The system ofclaim 17 further comprising a volatile memory storing a private key forencryption; wherein said at least one portable handheld device furthercomprises a battery carried by said housing and powering said volatilememory; and further comprising an encapsulant surrounding said batteryand said volatile memory.
 22. The system of claim 17 further comprisingan inventory server connected to the Internet for maintaining aninventory based upon the input order information from said at least oneportable handheld device.
 23. A wireless order entry and real timepayment authorization method comprising: providing a portable handhelddevice comprising a housing, a display carried by the housing, an orderentry input device carried by the housing, a transaction card inputdevice carried by the housing for reading user sensitive informationfrom a transaction card, a wireless transceiver carried by the housing,and a processor carried by the housing and connected to the display,order entry input device, transaction card input device and wirelesstransceiver; wirelessly sending input order information from theportable handheld device; encrypting and wirelessly sending the usersensitive information from the portable handheld device without storingand without displaying the user sensitive information; and wirelesslyreceiving and displaying payment authorization information at theportable handheld device based upon real time authorization from atransaction card issuing entity.
 24. The method of claim 23 wherein theportable handheld device further comprises a debit personalidentification number (PIN) input device carried by the housing andconnected to the processor; and wherein encrypting and wirelesslysending further comprises encrypting and wirelessly sending debit PINinformation without storing and without displaying the user sensitiveinformation.
 25. The method of claim 23 wherein the portable handhelddevice is for restaurant order entry; wherein the at least one portablehandheld device further comprises a memory storing restaurant menu data;and further comprising sending the menu data to the at least oneportable handheld device via a wireless communications link.
 26. Themethod of claim 23 wherein the portable handheld device furthercomprises a volatile memory storing a private key for encryption and abattery carried by the housing and powering the volatile memory; andfurther comprising surrounding the battery and the volatile memory withan encapsulant.